12 Days of HaXmas: What Home Alone Can Teach About Active Defense

Published at 2015-12-28 18:57:48

This post is the fourth in the series, "The 12 Days of HaXmas." As you venture from the world of defense, including protecting and monitoring systems, into the realm of active defense, who can be your mentor? Who can make you as cool as Frosty? Does anyone know enough about active defense to make a movie out of it? OF COURSE! Macaulay Culkin is the mentor you are looking for. More precisely, Kevin McCallister, from the Home Alone franchise. Why is an 8 year old better at security than a lot of companies are? Because he realized that no matter what, the house will be breached, or at the very least targeted, and that what happens after the initial discovery or intrusion will be critical in limiting the impact of the incident. In this article, we will look at 7 of the best tricks Kevin has up his sleeves, and how they relate to CYBER. Basically, the Elfabet of HaXmas defense.
Active Deception
Zip-Line Cutting
Cracking and Stapling
Low Friction Ingress Points
Tool Management
Being a Chess Nut
Third Party Relationships
Wrapping Up
Active Deception

At around 8m35s into the first movie, Kevin's dad tells one of the burglars, Harry, disguised as a police officer, that they only use standard security measures, such as timers for the lighting. While Kevin's dad is simply getting phished for information, he accidentally succeeds and ends up deceiving the attacker. He was totally unaware of the security controls Kevin would later implement. Another failure nearly occurs at around 11m, when Kevin's mom reveals that they're going to Paris. Luckily, Kevin notices the policeman's tooth-bling, a fact that he checks against his mental threat intelligence feed. In the second movie, Kevin has to slow down a different attacker, Sneaky-Face-Spying-Hotel-Employee. Again, misinforming the attacker helped prevent the attack.

Note: Why was he in the room to begin with? Did he want to steal Kevin's cashews and drinks, or was he going to execute an evil maid attack on Kevin's laptop?

Kevin says: Be careful about how much you reveal on your attack surface, as well as how you protect it. When hiring, why not look for people who have experience with many different security tools, instead of just those you own and use? That way, your job descriptions will not be a tidy list of things to break into, but a list of multiple products you may or may not use.

Zip-Line Cutting

Kevin moves to his tree house. The main path from the house to the tree house is a zip-line. Clearly, Kevin is trying to teach us that network segmentation should always be in place, and that connectivity between zones should be limited to known, authorized systems, such as him over TCP/zipline. During the incident, Kevin decides to eliminate connectivity from the main network (house) to the restricted network (tree-house). He simply cuts the zip-line, an obvious metaphor for an ACL, as the attackers are trying to reach it.
Kevin says: Network segmentation has always been important, but why not make it more fun by reacting to specific situations and disabling some types of connectivity when needed, by modifying ACLs on firewalls or host-based firewalls based on attack data discovered on honeypots, IDS or other systems, or by totally sinkholing suspicious systems?

Cracking and Stapling

Kevin shoots the burglars with a BB gun. Specifically, he shoots Harry in the Christmas Bells, and Marv on the forehead.
In Home Alone 2, he repeats the same type of exploit (wait, are these movies repetitive? Oh my!), but with a staple gun. This is a great example of what not to do. Nobody has the right to shoot anyone in the gingerbread, and, like "hacking back", it is probably illegal in many countries.

Kevin says: Only staple HaXmas lights, or OCSP.
Kevin says you should avoid:
- Publicly taunting adversaries: "Our new widget is so secure, nobody will ever be able to hack it!"
- Shooting people in the Christmas Bells.
- Running BeEF against systems you do not own so you can get a shell on the attacker's machine, before even talking to your lawyer!

Low Friction Ingress Points

Kevin covers the stairs to both the front and rear entrances with ice.
He knows these ingress points are vulnerable, highly privileged entry points into the house, and that slowing down attackers or increasing their pain levels is extremely valuable. In Home Alone 2, he performs roughly the same task by using green soap. Please, tell me that was actually soap.

Kevin says: Make important, highly privileged ingress points slippery, by controlling ACLs strictly, blocking specific geolocations that are not required, using non-default ports to reduce noise in the logs generated from automated attacks or scans, and monitoring those logs and blocking suspicious sources.

Tool Management

Kevin, like most CSOs, has many tools at his disposal, but has been having issues hiring. Left with only tools, and no brain power to use them but himself, he has a hard decision to make: Should I buy more tools, or should I throw them all directly in the face of attackers? He makes sure his tools hurt them like a freight train.

Kevin says: Identify the systems that you have, and make sure that you are using all the features that could be useful to you. No more "passive IDS" with nobody reading the logs, no more "sandbox in monitoring mode" with logs going to /dev/null, no more WAF in learning mode. If you bought it, it should be tunable to a level that makes it useful, and if you leave it in monitoring mode, there better be somebody monitoring for real. If you bought it, can't tune it, can't monitor it, then disconnect it. Spend your money elsewhere and reduce your attack surface.

Kevin says you should avoid:
- Physically throwing security appliances, as it quickly gets expensive.

Being a Chess Nut

Kevin, like a true Kasparov of security, knows how real attacks play out. That is why he knew that if he set someone's head on fire, they would proceed to the obvious target system to extinguish it: a very dirty toilet. In this analogy, Kevin is using the toilet to represent *honey*.
The bear wants the honey, because he doesn't know it's actually paint thinner. Prior to this response, Kevin used a similar technique, knowing that the attackers would use a specific entry point, to send them to a lonely network, with no actual access to the production house.

Kevin says: Use easy to manage honeypots to detect attackers scanning your network from the inside. Use various other types of honey: honey tokens, to detect stolen credentials, honey tables, to detect unauthorized database access, or even honey files to detect access to files that should never be read. If your coworkers have a tendency to steal candy, make sure you only have blue candy, so you can detect it later on.

Third Party Relationships

Kevin thought the incident was nearly over, and all he had to do was to wait for the police to show up. Soon after, he slipped on an unexpected patch of ice, and realized that his issue might be too complicated for him to resolve by himself. Luckily, Kevin had leveraged third party help, and had access to Incident Response services from a woman and many pigeons, who made sure to end the incident totally.

Kevin says: Know what your team's skills are, and make sure that you know when external help will be needed. Know Who You're Gonna Call™ before the plane takes off without you, and make sure the process and communication plan is well documented and available under any circumstances.

Wrapping Up

You'll know you're doing a good job if all the attackers are doing is yelling meaningless phrases at you while throwing futile attacks. While Home Alone was long thought to be a simple movie about a kid stuck at home, it was actually a great metaphor for information security. It is nothing short of wonderful to see how well the writers predicted how cyber-security would come to life, over 20 years later.

Also: What does Santa call his sysadmin little helper who ate too many kernels? FatELF.
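Three of the "Kevin says" pieces of advice above are mechanical enough to wire together: changing ACLs based on attack data from honeypots (Zip-Line Cutting), monitoring logs and blocking suspicious sources (Low Friction Ingress Points), and using honeypots, honey tokens and honey files to detect insiders and stolen credentials (Being a Chess Nut). The following Python is an added example and is not code from the original post or from Rapid7. Everything in it is constructed for illustration: the log line formats, the deception inventory (the honeypot host 10.0.9.250, the honey file path, the `svc_backup_legacy` honey credential) and the sample log lines. The iptables rules it renders are a proposal for an operator to review; the script never applies them.

```python
"""Honey-trap detector (constructed example, not from the original post).

Reads log lines, spots any source that touched a deception asset (a honeypot
host, a honey file, a honey credential) and proposes ACL changes. A single
honeypot touch is only "watch", because a mistyped address can do that;
several distinct probes, or any honey file / honey credential use, earn a block.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Deception inventory: all values are made up for this example.
HONEYPOT_HOSTS = {"10.0.9.250"}                     # nothing legitimate ever talks to it
HONEY_FILES = {"/srv/finance/q4_board_pack.xlsx"}  # planted; no real process reads it
HONEY_USERS = {"svc_backup_legacy"}                 # credential left in a config, never used

# Constructed log formats (one event per line).
HONEYPOT_RE = re.compile(r"honeypot src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
FILEAUDIT_RE = re.compile(r"fileaudit user=(?P<user>\S+) src=(?P<src>[\d.]+) path=(?P<path>\S+) op=(?P<op>\w+)")
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) src=(?P<src>[\d.]+) result=(?P<result>\w+)")


@dataclass(frozen=True)
class Finding:
    src: str      # the address that touched the honey
    kind: str     # "honeypot", "honeyfile" or "honeycred"
    detail: str   # what exactly was touched


def detect(lines):
    """Return one Finding per log line that involves a deception asset."""
    findings = []
    for line in lines:
        m = HONEYPOT_RE.search(line)
        if m and m["dst"] in HONEYPOT_HOSTS:
            findings.append(Finding(m["src"], "honeypot", f"{m['dst']}:{m['dport']}"))
            continue
        m = FILEAUDIT_RE.search(line)
        if m and m["path"] in HONEY_FILES:
            findings.append(Finding(m["src"], "honeyfile", f"{m['user']} {m['op']} {m['path']}"))
            continue
        m = AUTH_RE.search(line)
        if m and m["user"] in HONEY_USERS:
            findings.append(Finding(m["src"], "honeycred", f"{m['user']} login {m['result']}"))
    return findings


def propose_response(findings, honeypot_threshold=3):
    """Map each source to ("block" | "watch", reason).

    Honey file and honey credential hits block on first sight; honeypot hits
    need several distinct host:port probes before they count as an internal scan.
    """
    probes = defaultdict(set)
    actions = {}
    for f in findings:
        if f.kind == "honeypot":
            probes[f.src].add(f.detail)
        else:
            actions[f.src] = ("block", f"{f.kind}: {f.detail}")
    for src, targets in probes.items():
        if src in actions:
            continue  # already blocked for a stronger reason
        if len(targets) >= honeypot_threshold:
            actions[src] = ("block", f"honeypot: {len(targets)} distinct probes")
        else:
            actions[src] = ("watch", f"honeypot: {len(targets)} probe(s), below threshold")
    return actions


def to_iptables(actions):
    """Render the blocks as host-firewall rules for an operator to review."""
    return [f"iptables -I INPUT -s {src} -j DROP   # {why}"
            for src, (verb, why) in sorted(actions.items()) if verb == "block"]


# Constructed sample logs: an internal scan, a stray single hit, a honey file
# read by a real user, and a login attempt with the planted credential from outside.
SAMPLE_LOGS = [
    "2015-12-24T21:03:10 honeypot src=10.0.5.23 dst=10.0.9.250 dport=22",
    "2015-12-24T21:03:11 honeypot src=10.0.5.23 dst=10.0.9.250 dport=445",
    "2015-12-24T21:03:12 honeypot src=10.0.5.23 dst=10.0.9.250 dport=3389",
    "2015-12-24T21:05:00 honeypot src=10.0.7.4 dst=10.0.9.250 dport=80",
    "2015-12-24T21:07:42 fileaudit user=jdoe src=10.0.6.18 path=/srv/finance/q4_board_pack.xlsx op=read",
    "2015-12-24T21:07:50 fileaudit user=jdoe src=10.0.6.18 path=/srv/finance/readme.txt op=read",
    "2015-12-24T21:09:05 auth user=svc_backup_legacy src=192.0.2.77 result=failure",
    "2015-12-24T21:10:00 auth user=jdoe src=10.0.6.18 result=success",
]

if __name__ == "__main__":
    for rule in to_iptables(propose_response(detect(SAMPLE_LOGS))):
        print(rule)
```

Run on the sample, it blocks the internal scanner (three distinct probes against the honeypot), the host that read the honey file, and the outside address that tried the planted credential, while the single stray hit on port 80 is only watched. The threshold is the knob Kevin's zip-line advice is about: how much honeypot contact you tolerate before you cut connectivity for that source.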

Source: rapid7.com
